| Author |
Message |
Trevor
Joined: Apr 19, 2004
Posts: 2170
Location: New York
|
 Post subject: Critical phpBB Security Fixes for users of 8.2c
Posted: Sun Feb 27, 2005 11:30 pm |
 |
Hi all,
The phpBB Group has just released phpBB 2.0.13, which addresses two vulnerabilities reported after the very recent release of 2.0.12. One issue is very serious, as it allows anyone to gain administrative rights for your forums. The other is a full path disclosure. Again, these patches apply only to users of CPG-Nuke 8.2c.
Open includes/phpBB/sessions.php.
Find on line 86:
PHP:
if( $sessiondata['autologinid'] == $auto_login_key )
Replace with:
PHP:
if( $sessiondata['autologinid'] === $auto_login_key )
Open modules/Forums/viewtopic.php.
Find on line 1225:
PHP:
$message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
Replace with:
PHP:
$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
You can also download the patched files.
Thanks.
Trevor's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Linux / 1.3.34 / 4.1.18 / 4.4.2 / CVS
Last edited by Trevor on Mon Mar 28, 2005 2:15 am; edited 1 time in total |
|
| Back to top |
|
 |
Yoshi
Joined: Dec 30, 2004
Posts: 122
|
Post subject: Re: Critical phpBB Security Fixes for users of 8.2c
Posted: Wed Mar 02, 2005 3:31 am |
|
Does this go for the same for 8.2b users?
Yoshi's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
XP/Dragonfly 9.5 all updated apache and mysql |
|
| Back to top |
|
|
Jeruvy
Joined: Apr 23, 2004
Posts: 1433
Location: Canada
|
Post subject: Re: Critical phpBB Security Fixes for users of 8.2c
Posted: Thu Mar 03, 2005 1:47 am |
|
You should apply 8.2c immediately. These updates are defined as critical ONLY for CPGnuke 8.2b.
They are not widespread changes only fixes and security updates so any mod's or themes you are using will not be affected by these patches.
HTH,
_________________
J.
j e r u v y a t y a h o o d o t c o m
Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net
Jeruvy's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2} |
|
| Back to top |
|
|
Jeruvy
Joined: Apr 23, 2004
Posts: 1433
Location: Canada
|
Post subject: Re: Critical phpBB Security Fixes for users of 8.2c
Posted: Fri Mar 04, 2005 2:42 pm |
|
Also note: this patch has been exploited also.
These are fixes suggested, but I have not tested.
In usercp_register.php
I will let the devs sort this one out. But it does look like a real fix over the last *cough* patch *cough* which really didn't do anything IMHO.
_________________
J.
j e r u v y a t y a h o o d o t c o m
Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net
Jeruvy's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2} |
|
| Back to top |
|
|
bist
Joined: Aug 23, 2004
Posts: 14
|
Post subject: Re: Critical phpBB Security Fixes for users of 8.2c
Posted: Wed Mar 09, 2005 2:19 am |
|
so if I have 8.2b i should unpack 8.2c and copy it over my installation?
just wanna be sure
bist's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Apache2.0 |
|
| Back to top |
|
|
NanoCaiordo
Joined: Jun 29, 2004
Posts: 3675
Location: Melbourne, AU
|
Post subject: Re: Critical phpBB Security Fixes for users of 8.2c
Posted: Wed Mar 09, 2005 7:39 am |
|
Personally I cannot find uesrcp_register.php ...inside which directory I will find it.
_________________
.:: I met php the 03 December 2003 :: Unforgettable day! ::.
NanoCaiordo's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
MySQL 5.1 / PHP 5.3 / NextGen() |
|
| Back to top |
|
|
djdevon3
Joined: Aug 05, 2004
Posts: 4365
|
Post subject: Re: Critical phpBB Security Fixes for users of 8.2c
Posted: Thu Mar 10, 2005 12:38 am |
|
usercp_register.php
umm where is that file located?
djdevon3's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Linux/1.3.33/4.4/4.3.11 |
|
| Back to top |
|
|
xfsunoles
Joined: Apr 30, 2004
Posts: 2502
Location: Melbourne, Florida
|
Post subject: Re: Critical phpBB Security Fixes for users of 8.2c
Posted: Thu Mar 10, 2005 4:23 am |
|
i believe it located in includes/phpBB folder.
_________________
Firefox is my Favorite Browser
xfsunoles's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Apache/1.3.34 (Unix)/4.0.25-standard/4.4.1/CVS |
|
| Back to top |
|
|
NanoCaiordo
Joined: Jun 29, 2004
Posts: 3675
Location: Melbourne, AU
|
Post subject: Re: Critical phpBB Security Fixes for users of 8.2c
Posted: Thu Mar 10, 2005 4:33 am |
|
its does not exist becouse user registration it is not longer done by the forum module but by my account module, something like coppermine registration that is not longer done by coppermine but, again, by my account. so we do not need this patch!
_________________
.:: I met php the 03 December 2003 :: Unforgettable day! ::.
NanoCaiordo's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
MySQL 5.1 / PHP 5.3 / NextGen() |
|
| Back to top |
|
|
djdevon3
Joined: Aug 05, 2004
Posts: 4365
|
Post subject: Re: Critical phpBB Security Fixes for users of 8.2c
Posted: Fri Mar 11, 2005 12:10 am |
|
That's what I thought. The file does not exist for cpg. Stand-alone only I believe. That doesn't mean that 8.x users shouldn't patch using the code that is applicable. Only the patch dealing with the usercp_register.php doesn't apply to us.
djdevon3's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Linux/1.3.33/4.4/4.3.11 |
|
| Back to top |
|
|
DaveTomneyUK
Joined: Aug 14, 2004
Posts: 215
Location: UK, England
|
Post subject: Re: Critical phpBB Security Fixes for users of 8.2c
Posted: Mon Mar 21, 2005 3:29 pm |
|
Does the top fix that Trevor posted need adding to CPG-Dragonfly 9.0.2.0 Mainly the viewtopic.php file?
DaveTomneyUK's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Linux / Apache2.2.8 / MySQL5.0.45 / PHP5.2.6 / CVS |
|
| Back to top |
|
|
Trevor
Joined: Apr 19, 2004
Posts: 2170
Location: New York
|
Post subject: Re: Critical phpBB Security Fixes for users of 8.2c
Posted: Tue Mar 22, 2005 1:29 am |
|
No
Trevor's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Linux / 1.3.34 / 4.1.18 / 4.4.2 / CVS |
|
| Back to top |
|
|
Forum FAQ
Search
Log in to check your private messages
Login
